Mahasaraswati
Mahasaraswati (also Saraswati) is ransomware that runs on Microsoft Windows. It is part of the Troldesh family.

Payload Transmission

Mahasaraswati is distributed as an executable file, saraswati.exe, which may be delivered through common threat delivery methods.

Infection

During encryption, Mahasaraswati appends the extension .id-USER'S ID.{mahasaraswati(@)india.com}.xtbl to the name of each encrypted file. It also creates two files (a .jpg and a .txt), each named "How to decrypt your files", in every folder that contains encrypted files. Both files carry the same message: the files have been encrypted, and victims must contact the criminals at the e-mail address provided to recover them.

Research shows that Mahasaraswati encrypts victims' files with an asymmetric encryption algorithm: a public/private key pair is generated during encryption, the public key is used to encrypt and the private key to decrypt. Because the files cannot be restored without the private key, the criminals urge victims to buy it; the key is held on remote servers under the criminals' control. After contacting the e-mail address provided, victims supposedly receive detailed payment information. The ransom is 3 Bitcoins (approximately $1332.15), increasing by 2 Bitcoins every 24 hours, so the longer victims take to pay, the higher the ransom. The developers of Mahasaraswati offer to decrypt a small number of files (up to 10 MB in total, .txt or .jpg files only) free of charge to prove that decryption is actually possible. The e-mail reply also contains all payment instructions.

Text presented in the Mahasaraswati desktop wallpaper:

Keep calm, my friend. All your data is encrypted. TO get the key write on email mahasaraswati(@)india.com

Ransom demand message (presented in the "How to decrypt your files.txt" and "How to decrypt your files.jpg" files):

Good morning, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection. We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk. All your files are encrypted and can not be accepted back without our professional help. Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter. And so our high-grade and quick service is not free.
Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here hxxps://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is 1DGMeKSALSkYGkedYDUgcvV8mP77WEGusQ
After the transfer of bitcoins please send email with screenshot of the payment page. We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test. To check this you can upload any encrypted file on web site dropmefiles.com, size no more than 10 MB (only text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards, Saraswati.

Category:Ransomware
Category:Win32 ransomware
Category:Win32
Category:Win32 trojan
Category:Microsoft Windows
Category:Trojan
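The file-name pattern and the two ransom-note names given in the Infection section are enough to triage an affected host. The script below is an added example written for this page, not code from the page or from any analysis tool it mentions: it walks a directory tree, flags files carrying the .id-<ID>.{mahasaraswati@india.com}.xtbl extension (accepting both the real "@" and the de-fanged "(@)" spelling used on this page), lists the folders that received a "How to decrypt your files" note, and extracts the victim IDs embedded in the file names. A second helper pulls e-mail addresses and Bitcoin-style wallet strings out of a note's text so they can be recorded as indicators. The sample directory tree and file contents are constructed inside the script for demonstration; the victim ID ABCDEF0123456789 is an invented placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name pattern for files encrypted by Mahasaraswati, as described on the page:
#   <original name>.id-<victim id>.{mahasaraswati@india.com}.xtbl
# The page de-fangs the address as "(@)"; the regex accepts both spellings.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.id-(?P<victim>[^.]+)\.\{mahasaraswati(?:\(@\)|@)india\.com\}\.xtbl$",
    re.IGNORECASE,
)

# Ransom-note file names dropped into every affected folder (from the page).
NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.jpg"}

# Generic indicator patterns for pulling contact and payment details out of a note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|\(@\))[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy (P2PKH/P2SH) Bitcoin address shape: 1 or 3 followed by 25-34 base58 characters.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def scan_tree(root):
    """Walk a directory tree and report Mahasaraswati artefacts.

    Returns a dict with the encrypted files found, the ransom notes found,
    the set of affected directories and the victim IDs seen in file names.
    """
    result = {"encrypted": [], "notes": [], "dirs": set(), "victim_ids": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            m = ENCRYPTED_NAME.match(name)
            if m:
                result["encrypted"].append(path)
                result["dirs"].add(dirpath)
                result["victim_ids"].add(m.group("victim"))
            elif name.lower() in NOTE_NAMES:
                result["notes"].append(path)
                result["dirs"].add(dirpath)
    return result


def extract_indicators(note_text):
    """Pull e-mail addresses and Bitcoin-style wallet strings out of ransom-note text."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(note_text))),
        "wallets": sorted(set(BTC_RE.findall(note_text))),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking an affected host (demo data only)."""
    root = tempfile.mkdtemp(prefix="mahasaraswati_demo_")
    docs, pics, clean = Path(root, "Documents"), Path(root, "Pictures"), Path(root, "Clean")
    for d in (docs, pics, clean):
        d.mkdir()
    # Two encrypted files plus both note variants in Documents (victim ID is a placeholder).
    (docs / "report.docx.id-ABCDEF0123456789.{mahasaraswati@india.com}.xtbl").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.id-ABCDEF0123456789.{mahasaraswati@india.com}.xtbl").write_bytes(b"\x00" * 16)
    (docs / "How to decrypt your files.txt").write_text("All your data is encrypted.\n")
    (docs / "How to decrypt your files.jpg").write_bytes(b"\xff\xd8\xff")
    # One encrypted file (de-fanged address spelling) and one note in Pictures.
    (pics / "holiday.jpg.id-ABCDEF0123456789.{mahasaraswati(@)india.com}.xtbl").write_bytes(b"\x00" * 16)
    (pics / "How to decrypt your files.txt").write_text("All your data is encrypted.\n")
    # Untouched files that must not be flagged.
    (clean / "notes.txt").write_text("nothing to see\n")
    (clean / "archive.xtbl.bak").write_text("lookalike extension, not encrypted\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files in {len(report['dirs'])} folders")
    print("victim IDs:", ", ".join(sorted(report["victim_ids"])))
    for note in report["notes"]:
        print("ransom note:", note)
```

Run against a mounted image or a live share, the victim ID is what ties scattered encrypted files to one infection, and the list of note-bearing folders gives the scope of the encryption pass; feeding the note text to extract_indicators records the contact address and wallet as indicators without having to transcribe them by hand.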